With the growing popularity of Social Networking Services (SNSs), increasing amounts of sensitive information are stored online and linked to SNS accounts. The obvious value of SNS accounts gives rise to the identity fraud problem—unauthorized, stealthy use of SNS accounts. For example, anxious parents may use their children’s SNS accounts to spy on the children’s social interaction; or husbands/wives may check their spouses’ SNS accounts if they suspect infidelity. Stealthy identity fraud could happen to anyone and seriously invade the privacy of account owners. However, there is no known defense against such behavior when an attacker, possibly an acquaintance of the victim, gets access to the victim’s computing devices. In this paper, we propose to extend the use of continuous authentication to detect the in situ identity fraud incidents, which occurs when the attackers use the same accounts, the same devices, and IP addresses as the victims. Using Facebook as a case study, we show that it is possible to detect such incidents by analyzing SNS users’ browsing behavior. Our experiment results demonstrate that the approach can achieve higher than 80% detection accuracy within 2 min, and over 90% after 7 min of observation time.